The two men, who are friends, were identified as part of a lengthy investigation conducted by the Metropolitan Police Cyber Crime Unit, which is part of its Fraud and Linked Crime Online Unit, also known as Falcon.

The judge noted that neither man had found or exposed the flaw that allowed them to exploit TalkTalk's site, but said that "you at different times joined in."

In November 2016, a 17-year-old boy in the U.K. admitted to using an automated tool that flagged the vulnerability in TalkTalk's systems, and sharing it with others, the BBC reported.

Multiple Arrests

All told, police have arrested six individuals, including a teenager in Northern Ireland, in connection with the TalkTalk hack. BAE Systems, which TalkTalk hired to investigate and remediate the breach, has reportedly estimated that up to 10 individuals may have been involved.

An investigation conducted by the Information Commissioner's Office - Britain's data privacy watchdog - found that the hacks resulted in personal data being exposed for almost 157,000 TalkTalk customers, plus bank accounts and sort codes for more than 15,000 customers. The exposed personal data included name, address, date of birth, telephone number, email address and financial information.

Hackers' Incriminating Skype Chats

Hanley was arrested on Oct. 30, 2015, just nine days after TalkTalk determined it was hacked. Hanley's computers and hard drives were seized and subjected to a digital forensic investigation. Detectives said they found that some devices and hard drives had either been wiped or encrypted, but said they were able to recover at least some of the data.

Police also identified incriminating chat messages, including an exchange via Skype in which Hanley told Allsopp: "Be careful with that dump, don't sell unless £1,000+ and you didn't get it from me," prosecutors told the court on Friday, during a sentencing hearing for both men, Birmingham Mail reports.

Met Police had previously noted that "detectives discovered conversations where Hanley had been discussing his involvement and actions in hacking into TalkTalk's website and also discussing how he had deleted incriminating data from his computers and encrypted his devices in order to cover his tracks."

Hanley pleaded guilty on April 26, 2017, to violating the Computer Misuse Act by accessing the TalkTalk site from Oct. 18 to 25, 2015, including hacking a TalkTalk database, and to "obtaining files to enable the hack of websites and supplying these files to others," according to the Met Police. He also admitted to sharing a spreadsheet that contained TalkTalk customers' details for fraudulent purposes.

Allsopp was arrested in April 2016 and pleaded guilty on March 30, 2017. Police said that when they presented him with his chat logs with Hanley, he admitted to having tried and failed to sell the stolen TalkTalk customer data as well as details of the vulnerability on TalkTalk's website.

'Risk of Fraud'

"Hanley hacked into TalkTalk's database with the sole intention to steal customer personal data and sell it to criminals and fraudsters for his and Allsopp's financial gain. Allsopp was a willing participant in the crime. If successful, this could have put thousands of people at risk of fraud," says Detective Constable Rob Burrows from the Met's Falcon Cyber Crime Unit.

"Hanley thought he was clever covering his tracks, concealing and destroying evidence on his computers. However the extensive investigation, specialist skills and technical expertise utilized by our team led to the identification of these two virtual offenders, bringing them into the 'real world,'" says Burrows, who was the lead investigating officer in the TalkTalk hacking case. "This secured overwhelming digital evidence leading to the guilty pleas and sentencing."

The U.K.'s National Crime Agency also participated in the investigation, and officials have said TalkTalk provided essential assistance.

"Regardless of the efforts and techniques deployed by cybercriminals to conceal their identities and activities, they will leave a trace and will be identified, pursued and prosecuted," he says.

TalkTalk's Security Failures

The ICO's investigation into the TalkTalk breach concluded that the telecommunications giant, which trades on the London Stock Exchange, had violated Britain's Data Protection Act by failing to put proper security measures in place to safeguard user data. As a result, the ICO hit TalkTalk with a £400,000 ($515,000) fine, which was a record at the time (see: TalkTalk Breach Investigation: Top Cybersecurity Takeaways).

"TalkTalk's failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk's systems with ease," Information Commissioner Elizabeth Denham said in a statement at the time. "Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."

TalkTalk was hacked in 2015 via SQL injection attacks against a database that had originally been created by Italian telecommunications firm Tiscali, the ICO's investigation found. TalkTalk acquired Tiscali's U.K. operations in 2009 but failed to properly catalog and manage the related infrastructure, the ICO's report said. The database in question ran on MySQL, the open source database management system; when it was hacked in 2015, TalkTalk had not yet applied a critical MySQL patch that had been released in 2012, according to the report.
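The ICO finding above turns on one defect class: a query built by concatenating user input into SQL text, which is what lets an injection payload change the query's logic. The following is an added illustration, not code from the article, the ICO report or TalkTalk's systems; it uses an in-memory SQLite database (standing in for the MySQL system the report names) and a constructed two-row customer table, and places the concatenating lookup beside the parameterized form that prevents the problem.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for the customer table the article
# describes. Every value here is invented for this example.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "12-34-56"),
    (2, "bob@example.com", "65-43-21"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, sort_code TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the statement by string concatenation (the defect).

    The caller-supplied value becomes part of the SQL text, so a value that
    closes the string literal and appends its own condition rewrites the
    WHERE clause instead of being compared as data.
    """
    sql = "SELECT id, email, sort_code FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Same lookup with a bound parameter (the fix).

    The statement text is fixed; the driver passes the value separately, so
    whatever the caller supplies is always treated as a literal to compare.
    """
    sql = "SELECT id, email, sort_code FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A textbook probe value: closes the quoted literal and adds a tautology.
    probe = "' OR '1'='1"
    print("concatenated query returned", len(lookup_vulnerable(db, probe)), "rows")
    print("parameterized query returned", len(lookup_parameterized(db, probe)), "rows")
```

With the probe value, the concatenated version returns every row in the table while the parameterized version returns none, because the bound value simply does not match any stored email. In a code review or a scan of a legacy application, the pattern to look for is exactly the first function: any query text assembled with `+`, `%` or f-strings from request data.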

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
